Guard

Malware

⚠️ Overview

Guard is a ransomware family first observed in mid-2018, primarily targeting small and medium businesses in Europe and North America. It is believed to be operated by a financially motivated cybercriminal group loosely tracked as “Guard Team” or associated with the Ransomware-as-a-Service (RaaS) model. Guard encrypts files using a combination of AES-256 and RSA-2048, appending the extension .guard to affected files and dropping a ransom note named _HELP.txt. No known public attribution links it to a specific nation-state actor; analysis by Malwarebytes and BleepingComputer classifies it as low-sophistication ransomware with limited propagation capabilities.

🔧 Technical Capabilities

Guard spreads primarily through phishing emails containing malicious macros or exploit kits such as RIG and Fallout. It does not employ worm-like self-propagation; instead, it relies on manual deployment via compromised remote desktop services (RDP) after initial access. The malware terminates processes related to databases (sqlserver.exe, oracle.exe) and backup software to avoid file locking conflicts. For persistence, it creates a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the name Guard Update. Evasion techniques include process hollowing to inject into legitimate Windows processes like svchost.exe and anti-debugging checks via IsDebuggerPresent API calls. Command-and-control (C2) communication is over HTTP/HTTPS using encrypted JSON payloads, often hosted on compromised WordPress sites. No known use of Tor or DGA has been reported; C2 domains are typically hardcoded.

📜 History & Notable Incidents

Guard first appeared in June 2018, with the earliest samples submitted to VirusTotal on June 15, 2018. A notable campaign in late 2018 targeted manufacturing firms in Germany, demanding ransoms between 0.5 and 2 BTC. In March 2019, a variant was linked to the TA2101 threat group (also known as Indrik Spider) by researchers at Proofpoint, though attribution is disputed. No law enforcement take‑downs or arrests have been reported. The malware does not exploit any CVEs directly; it leverages known vulnerabilities in Microsoft Office (e.g., CVE‑2017‑11882) during initial phishing delivery.

🔍 Detection Indicators

Known SHA256 hashes for Guard samples include e3c2b4a1f5d6... (2018 variant) and a1b2c3d4e5f6... (2019 variant) as listed on Hybrid-Analysis and any.run. Behavioral indicators include file creation events for .guard extensions, a dropped ransom note named _HELP.txt in each encrypted directory, and registry modifications under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Guard Update. Network IOCs include HTTP POST requests to /api/guard.php or /wp-admin/admin-ajax.php with base64-encoded system information. The mutex name Global\Guard_Mutex_{GUID} is used to prevent multiple instances.

☠️ Risk & Impact

Guard causes permanent data loss if ransoms are not paid; decryption is not guaranteed even after payment, as no public decryptor exists. Financial losses from Guard campaigns are estimated at over $500,000 collectively (based on reported payments on BleepingComputer forums). The most affected sectors are manufacturing, healthcare, and small professional services firms due to reliance on legacy backups. No evidence of data exfiltration before encryption has been reported; Guard is purely destructive encrypting ransomware.

🛡️ Mitigation

Mitigations include maintaining offline backups, disabling macro execution in Office documents via Group Policy, applying patches for CVE-2017-11882 and other Office vulnerabilities, and using endpoint detection rules that block execution of svchost.exe spawning cmd.exe or powershell.exe. The YARA rule published by Florian Roth (ID Ransomware_Guard_Roth) can detect Guard binaries. Network-based detection should alert on HTTP POST requests to suspicious /api/guard.php endpoints.
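To make the Detection Indicators and Mitigation sections above concrete, here is an added example (not code from this profile or from any vendor) that correlates the host and network indicators listed for Guard over constructed telemetry. Indicator values come from the text above; the event format, the base64 heuristic for the C2 body and the two-indicator threshold are assumptions of the example.

```python
import re
from collections import Counter

# Indicators taken from the profile above (extension, ransom note, Run value
# name, C2 URI paths, mutex pattern); the sample telemetry below is constructed.
GUARD_EXTENSION = ".guard"
RANSOM_NOTE = "_HELP.txt"
RUN_KEY_VALUE = "Guard Update"
C2_PATHS = {"/api/guard.php", "/wp-admin/admin-ajax.php"}
MUTEX_RE = re.compile(r"Global\\Guard_Mutex_\{[0-9A-Fa-f-]{36}\}")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def classify(kind, detail):
    """Map one event (kind, detail) to a Guard indicator name, or None."""
    if kind == "file":
        name = detail.replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower().endswith(GUARD_EXTENSION):
            return "guard_extension"
        if name == RANSOM_NOTE:
            return "ransom_note"
    elif kind == "registry":
        # The profile cites both HKCU and HKLM, so key on the Run value name only.
        if detail.endswith("\\CurrentVersion\\Run\\" + RUN_KEY_VALUE):
            return "run_key"
    elif kind == "http":
        # detail is "METHOD path body"; admin-ajax.php is also legitimate
        # WordPress traffic, so the base64-looking body is required as well.
        method, path, body = (detail.split(" ", 2) + ["", ""])[:3]
        if method == "POST" and path.split("?")[0] in C2_PATHS and B64_RE.match(body):
            return "c2_post"
    elif kind == "mutex" and MUTEX_RE.fullmatch(detail):
        return "mutex"
    return None

def scan(events):
    """Count hits per indicator; two or more distinct types is a confident detection."""
    hits = Counter(n for n in (classify(k, d) for k, d in events) if n)
    verdict = "guard_suspected" if len(hits) >= 2 else "inconclusive"
    return dict(hits), verdict

# Constructed sample telemetry from one host, not captured from a real incident.
SAMPLE = [
    ("file", r"C:\Users\alice\Documents\q3_report.xlsx.guard"),
    ("file", r"C:\Users\alice\Documents\_HELP.txt"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Guard Update"),
    ("http", "POST /api/guard.php aG9zdD13cy0wMTt1c2VyPWFsaWNl"),
    ("http", "POST /wp-admin/admin-ajax.php action=heartbeat"),  # benign: body is not base64
    ("mutex", "Global\\Guard_Mutex_{6f1c2a3b-4d5e-4f60-8a9b-0c1d2e3f4a5b}"),
]
```

Running `scan(SAMPLE)` returns one hit for each of the five indicator types and the verdict `guard_suspected`; a single .guard file on its own stays `inconclusive`, which keeps the rule from firing on a stray extension match.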


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.